28000eba88463ba310006a12861b48fc9335d93053b91e71e537d36daa09f6e0

Analysis

max time kernel
142s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
02/05/2023, 07:46

Target

Purchase order ST023Z499740 & Company profile_pdf1.exe
Size

349KB
MD5

106711a5c03e6bb7c03ff889b1c2c213
SHA1

59a0b6c3f17d8c68bbf249dac4e606ecef4b249e
SHA256

28000eba88463ba310006a12861b48fc9335d93053b91e71e537d36daa09f6e0
SHA512

285967f17c3d5bc89e2821acbddbb4ee77b5883819516743d4b4c3b949c35cfadf06748463bdb9c0d476f45a12b1b4f3704c07654608bc5042b84de85a5308be
SSDEEP

6144:NpWQN9rSwaEj28RLURnZpd4wipbpdhws4rcDJvaQLhKK/qPONI:XWcLF28RLknZpdViRp3vOckQLPJ

Score

7^/10

.NET Reactor proctector 1 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral2/memory/4980-133-0x000002A557AD0000-0x000002A557B2C000-memory.dmp	net_reactor

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4980 set thread context of 4800	4980	Purchase order ST023Z499740 & Company profile_pdf1.exe	85

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4980	Purchase order ST023Z499740 & Company profile_pdf1.exe
4980	Purchase order ST023Z499740 & Company profile_pdf1.exe
4980	Purchase order ST023Z499740 & Company profile_pdf1.exe
4980	Purchase order ST023Z499740 & Company profile_pdf1.exe
4800	Caspol.exe
4800	Caspol.exe
4800	Caspol.exe
4800	Caspol.exe
4800	Caspol.exe
4800	Caspol.exe
4800	Caspol.exe
4800	Caspol.exe
4800	Caspol.exe
4800	Caspol.exe
4800	Caspol.exe
4800	Caspol.exe
4800	Caspol.exe
4800	Caspol.exe
4800	Caspol.exe
4800	Caspol.exe
4800	Caspol.exe
4800	Caspol.exe
4800	Caspol.exe
4800	Caspol.exe
4800	Caspol.exe
4800	Caspol.exe
4800	Caspol.exe
4800	Caspol.exe
4800	Caspol.exe
4800	Caspol.exe
4800	Caspol.exe
4800	Caspol.exe
4800	Caspol.exe
4800	Caspol.exe
4800	Caspol.exe
4800	Caspol.exe
4800	Caspol.exe
4800	Caspol.exe
4800	Caspol.exe
4800	Caspol.exe
4800	Caspol.exe
4800	Caspol.exe
4800	Caspol.exe
4800	Caspol.exe
4800	Caspol.exe
4800	Caspol.exe
4800	Caspol.exe
4800	Caspol.exe
4800	Caspol.exe
4800	Caspol.exe
4800	Caspol.exe
4800	Caspol.exe
4800	Caspol.exe
4800	Caspol.exe
4800	Caspol.exe
4800	Caspol.exe
4800	Caspol.exe
4800	Caspol.exe
4800	Caspol.exe
4800	Caspol.exe
4800	Caspol.exe
4800	Caspol.exe
4800	Caspol.exe
4800	Caspol.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4980	Purchase order ST023Z499740 & Company profile_pdf1.exe
Token: SeDebugPrivilege	4800	Caspol.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4980 wrote to memory of 1600	4980	Purchase order ST023Z499740 & Company profile_pdf1.exe	83
PID 4980 wrote to memory of 1600	4980	Purchase order ST023Z499740 & Company profile_pdf1.exe	83
PID 4980 wrote to memory of 1600	4980	Purchase order ST023Z499740 & Company profile_pdf1.exe	83
PID 4980 wrote to memory of 3136	4980	Purchase order ST023Z499740 & Company profile_pdf1.exe	84
PID 4980 wrote to memory of 3136	4980	Purchase order ST023Z499740 & Company profile_pdf1.exe	84
PID 4980 wrote to memory of 3136	4980	Purchase order ST023Z499740 & Company profile_pdf1.exe	84
PID 4980 wrote to memory of 4800	4980	Purchase order ST023Z499740 & Company profile_pdf1.exe	85
PID 4980 wrote to memory of 4800	4980	Purchase order ST023Z499740 & Company profile_pdf1.exe	85
PID 4980 wrote to memory of 4800	4980	Purchase order ST023Z499740 & Company profile_pdf1.exe	85
PID 4980 wrote to memory of 4800	4980	Purchase order ST023Z499740 & Company profile_pdf1.exe	85
PID 4980 wrote to memory of 4800	4980	Purchase order ST023Z499740 & Company profile_pdf1.exe	85
PID 4980 wrote to memory of 4800	4980	Purchase order ST023Z499740 & Company profile_pdf1.exe	85

C:\Users\Admin\AppData\Local\Temp\Purchase order ST023Z499740 & Company profile_pdf1.exe
"C:\Users\Admin\AppData\Local\Temp\Purchase order ST023Z499740 & Company profile_pdf1.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4980
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"
  2⤵
  PID:1600
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"
  2⤵
  PID:3136
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4800

memory/4800-134-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4800-136-0x0000000001300000-0x000000000164A000-memory.dmp

Filesize
3.3MB

Download
memory/4800-137-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4800-138-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4980-133-0x000002A557AD0000-0x000002A557B2C000-memory.dmp

Filesize
368KB

Download